Oracle releases new Java patch to address this week’s McRat problem

It's an old but necessary hat—Oracle says install its new security patch ASAP.

Oracle has released an emergency Java patch addressing the latest in-the-wild exploit targeting the software. The company suggests users apply this update "as soon as possible" due to "the severity of these vulnerabilities." The full patch description and download is available through Oracle's Technology Network (you can also get the patch through the software's auto-update).

This particular vulnerability is being exploited to install a remote-access trojan dubbed McRat. The attacks targeted Java versions 1.6 Update 41 and 1.7 Update 15, which are the latest available releases of the widely used software. Security Editor Dan Goodin reported on the issue just three days ago, as attacks were being triggered when people with a vulnerable Java version visited a booby-trapped website.

It almost goes without saying—Java security has left something to be desired lately. High profile companies such as Facebook, Apple, and Twitter all fell at the hands of Java recently. These businesses disclosed that their computers were compromised by exploits later linked to a developer website hacked into a platform for Java exploits. Here at Ars, you can peruse nine separate stories involving Java exploits within the last month alone.

This stuff does not belong in a browser. Make browser plugins optional, not the standard, for the JRE (and JDK). And stop reenabling them on updates!

I now have a Linux VM for the sole dedicated purpose of handling my tax stuff, which is necessarily done online and requires Java applets. This seems reasonable from one perspective, but batshit insane from another.

I know this is often mentioned as a glib answer, but I'm starting to think it's the right one. The new exploits pop up within days of the patches. Really, how many more do the bad guys have queued up? Updating only seems to buy a few days, and maybe not even that! At this point, isn't it rational to assume that the next exploit is already being rolled out? Same story with Flash. There just seems to be an endless string of exploits. Since it takes days or weeks for a new exploit to be detected and the patch rolled out, I'm pretty much always vulnerable if the thing is installed.

I occasionally use the Java plug-in for work, but I still gave up and uninstalled it completely (updates were not working right). I figure I will put it off as long as possible, and then install only when needed. At the current rate that ought to skip me past three or four updates at least.

Anybody starting to suspect ask.com is behind all these exploits? How else are they going to get people to install their stupid toolbar? I had similar suspicions about McAfee and Flash/Reader, but he's had other things to worry about lately.

^^Hattori is absolutely right. Java is a fine platform for trusted apps (I'm thinking Eclipse, Netbeans), but it's past time to get out of the browser. Continuing to install the plug-ins by default is approaching malfeasance. Well, actually, if I did it to a client, it would be. But I'm not paying Oracle, so I guess they're allowed.

I'm beginning to agree with you about uninstalling Java completely. Unfortunately, I probably have some apps that are written in Java or need the JVM.

Thanks to Ars, I've taken steps to find an alternative for the only service I regularly used which used Java (the one use I had for it on my systems). Removed Java from each of the computers at home, and I never felt more at ease. Even ditched Flash (i.e. the separate plugins which would never auto-update) in the process and switched each system to Chrome. Good riddance!

It isn't rocket science.

Basic computer security has, for decades, dictated:

If you don't need it, don't install it. If you can disable the bits you don't need on software you DO need, disable it.

The news of the release of Java 7 Update 17 came hours after reports surfaced that additional vulnerabilities in Java were discovered by researchers at Security Explorations of Poland. That firm said it has reported seven Java vulnerabilities to Oracle since Feb. 25, none of which were addressed in today’s update.

Researcher Adam Gowdiak found a handful of new vulnerabilities related to the Java Reflection API that would allow an attacker to bypass the Java security sandbox. Gowdiak reported two bugs on Feb. 25; Oracle confirmed one as a vulnerability but declined to confirm the other, calling it "allowed behavior," the researcher said.

Gowdiak said his company provided Oracle with code samples proving the "allowed behavior" is not allowed in Java SE.

"The codes we delivered to Oracle trigger real security exceptions in response to the attempt to gain the same access as the one abused by Issue 54," he told Threatpost. "We've also found evidence in Oracle's own Java SE docs that contradicts the company's claims."

Java is finally coming of age much the same as OSX, the same as Windows, the same as OpenSSH, and the same as Sendmail. I think we're approaching the critical point where they either find methods to shore up their code, or where they fade into irrelevance by having become not worth the trouble (and uninstalled).

In the short to medium term, what Oracle *really* needs to do is streamline the patching process so that they can get the ugly part over faster.

It's funny, I do the exact same, with the sad part that I have TrueCrypt installed, so if my system is compromised, hopefully it will take them a while to solve that puzzle.

TrueCrypt will only protect systems at rest, such as a computer that is turned off. If the volume is mounted, then it can be read as if the encryption wasn't there. (That's the whole point of transparent disk encryption.)

Java is very secure! And it is very good, and very useful, for so many things! List below.

List of things I like with Java:

1) Uh.... I've forgotten that one
2) Well, don't remember this one either
3) Java is nice because, uh...
4) No, I can't find that one
5) Gosh, I'm sure there was something I liked about Java
6) Oh yes, one thing I love: the "uninstall" feature. Nice, eh?

I repackaged Java 1.7U11 for deployment on 25 January. Today my colleague repackaged 1.7U17. At the moment, Java updates are averaging one per week since the end of January. That's absolutely ludicrous.

So this only applies to Java browser plugins? If I have them disabled, is there any need for updates?

I'm asking this because the Java updater itself is broken. I need a 32-bit JRE+JDK alongside a 64-bit JRE. The 64-bit JRE removes everything 32-bit, and it's a pain to do it manually. Otherwise the Java-based system service stops working...

Agreed. I was, just last night, forced to install the new JRE (after I thought I was done with it) because one of my applications runs on Java.

I'm ok with the application, which I trust, but why does it have to also install the browser plug-in?!

I'm gonna have to figure out a way to automatically disable them at boot time, if I can work out a script, which is again, increasingly reasonable yet batshit at the same time!

Oh, come on people. The same old tired comments from the same tired people... There is no need to remove Java from your system, just as there is no need to uninstall python, ruby or any other language. If you are running OSX, you already have python, perl and bash at the very least. Awk, sendmail and emacs are there too and they almost classify as a programming language. These languages aren't going to leap out of your computer and turn evil.

Java is a language. And yes, there is a Java browser plugin which is rarely used. So use one of the hundred browser plugins to disable Java in your browser for the sites you don't need it, or just turn off the browser plugin. That's all.

As a programming language, there is NOTHING about Java that makes it less secure than Objective-C, C++ or a million other languages. As a browser plugin, well, we all agree that HTML5/CSS is the future and Java plugins/Flash will go away.

Java drives probably close to 50% [1] of the lines of code currently deployed in the world. It isn't going away.

[1] Yes, OK, that's a wild guess. But it is certainly more than 25% and less than 75%.

Has anyone from Oracle made any sort of public comment about this insanity?

I'm not expecting them to actually come clean and offer up some kind of "sorry, bro", but the fact that they're not even counteracting this with any kind of PR spin is even more worrying in a strange way.

I repackaged U15 just yesterday, that being the latest version available at the time. Now I need to do U17. Unfortunately saying "No Java!" to everyone isn't an option because our VLE runs on it along with a million other crappy little educational programs.

It's great that Java security flaws are being found and addressed and actually fixed. It's making something that's already pretty tight by design (if not implementation) security-wise, more secure. Eventually they're going to get them all. Better the devil you know and all that.

Your main concern, as wise, aged and informed Ars readers, is what you're going to do when Java is too tight for the hackers to bother with any more. The next largest target is of course JavaScript in the browser, and the myriad clever new APIs that the browsers are beginning to support. WebGL looks like a juicy target to start with (no coincidence Microsoft refused to support it).

What is one to do then? Uninstall one's browsers too? The mind boggles.

Their "Java Guy" is busy slapping barely-tested fixes into the codebase and FTPing them up to their servers, he hasn't got a spare couple of days to dig deep into whatever godforsaken tool Oracle are using to generate that webpage. Next you'll want him to bother one of their army of sales guys or lawyers to do stuff for him. Tsk.

Java is still useful, and some software still relies on it, especially scientific software such as MATLAB.

For those users I would recommend disabling the add-ons/plugin for the browser, e.g. IE, Firefox. The plugin serves much less purpose and dramatically increases the chance of a security exploit. All the vulnerabilities mentioned in recent days target the browser Java plugin.
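The advice running through this thread (turn the browser plugin off and keep it off, ideally from a script rather than by hand after every update) can be enforced from the JRE's deployment.properties file. The helper below is an added example, not code from the article or from Oracle: it assumes the `deployment.webjava.enabled` property and the `.locked` suffix as documented for Java 7u10 and later deployment.properties, takes the file path as an argument because the location differs by platform and by system-versus-user level, and works on constructed sample contents.

```python
"""Check and harden a Java deployment.properties file so the browser plugin is off."""
import re
import sys
from pathlib import Path

# Property names assumed from Oracle's deployment.properties documentation (7u10+).
# Adding ".locked" as its own line stops users re-enabling the plugin in the Java Control Panel.
KEY = "deployment.webjava.enabled"
LOCK = KEY + ".locked"

# Constructed sample file contents, not taken from any real installation.
SAMPLE = """#deployment.properties
deployment.version=7.17
deployment.webjava.enabled=true
deployment.security.level=HIGH
"""


def parse_properties(text: str) -> dict:
    """Minimal key=value parser: skips blank lines and '#'/'!' comments, keeps bare keys."""
    props = {}
    for line in text.splitlines():
        s = line.strip()
        if not s or s[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", s)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def plugin_disabled(text: str) -> bool:
    """True only if the plugin is explicitly off AND the setting is locked (missing key = enabled)."""
    p = parse_properties(text)
    return p.get(KEY, "true").lower() == "false" and LOCK in p


def harden(text: str) -> str:
    """Return contents with the plugin disabled and locked; every other line is preserved."""
    out, seen = [], set()
    for line in text.splitlines():
        key = line.split("=", 1)[0].strip()
        if key in (KEY, LOCK):
            out.append(f"{KEY}=false" if key == KEY else LOCK)
            seen.add(key)
        else:
            out.append(line)
    out += [f"{KEY}=false"] * (KEY not in seen) + [LOCK] * (LOCK not in seen)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    target = Path(sys.argv[1])  # e.g. the JRE's lib/deployment.properties (path is yours to supply)
    before = target.read_text() if target.exists() else ""
    target.write_text(harden(before))
    print(f"{target}: plugin disabled and locked = {plugin_disabled(target.read_text())}")
```

Running it once is enough; `harden` is idempotent, so it is safe to schedule at boot or after each JRE repackage.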